| Domain | ID | Name | Use |
|---|---|---|---|
| Enterprise | T1005 | Data from Local System | FoggyWeb can retrieve configuration data from a compromised AD FS server.[1] |
| Enterprise | T1036 | Masquerading | FoggyWeb can masquerade the output of C2 commands as a fake but legitimately formatted WebP file.[1] |
| Enterprise | T1036.005 | Masquerading: Match Legitimate Name or Location | FoggyWeb can be disguised as a Visual Studio file such as |
| Enterprise | T1550 | Use Alternate Authentication Material | FoggyWeb can allow abuse of a compromised AD FS server's SAML token.[1] |
| Enterprise | T1129 | Shared Modules | FoggyWeb's loader can call the |
| Enterprise | T1573.001 | Encrypted Channel: Symmetric Cryptography | FoggyWeb has used a dynamic XOR key and a custom XOR methodology for C2 communications.[1] |
| Enterprise | T1574.001 | Hijack Execution Flow: DLL Search Order Hijacking | FoggyWeb's loader has used DLL Search Order Hijacking to load malicious code instead of the legitimate |
| Enterprise | T1620 | Reflective Code Loading | FoggyWeb's loader has reflectively loaded .NET-based assemblies/payloads into memory.[1] |
| Enterprise | T1140 | Deobfuscate/Decode Files or Information | FoggyWeb can be decrypted in memory using a Lightweight Encryption Algorithm (LEA)-128 key and decoded using an XOR key.[1] |
| Enterprise | T1071.001 | Application Layer Protocol: Web Protocols | FoggyWeb has the ability to communicate with C2 servers over HTTP GET/POST requests.[1] |
| Enterprise | T1560.002 | Archive Collected Data: Archive via Library | FoggyWeb can invoke the |
| Enterprise | T1560.003 | Archive Collected Data: Archive via Custom Method | FoggyWeb can use a dynamic XOR key and a custom XOR methodology to encode data before exfiltration. FoggyWeb can also encode C2 command output within a legitimate WebP file.[1] |
| Enterprise | T1083 | File and Directory Discovery | FoggyWeb's loader can check for the FoggyWeb backdoor .pri file on a compromised AD FS server.[1] |
| Enterprise | T1552.004 | Unsecured Credentials: Private Keys | FoggyWeb can retrieve token-signing certificates and token-decryption certificates from a compromised AD FS server.[1] |
| Enterprise | T1106 | Native API | FoggyWeb's loader can use API functions to load the FoggyWeb backdoor into the same Application Domain in which the legitimate AD FS managed code executes.[1] |
| Enterprise | T1027.004 | Obfuscated Files or Information: Compile After Delivery | FoggyWeb can compile and execute source code sent to the compromised AD FS server via a specific HTTP POST.[1] |
| Enterprise | T1027.013 | Obfuscated Files or Information: Encrypted/Encoded File | |
| Enterprise | T1040 | Network Sniffing | FoggyWeb can configure custom listeners to passively monitor all incoming HTTP GET and POST requests sent to the AD FS server from the intranet/internet and intercept HTTP requests that match custom URI patterns defined by the actor.[1] |
| Enterprise | T1105 | Ingress Tool Transfer | FoggyWeb can receive additional malicious components from an actor-controlled C2 server and execute them on a compromised AD FS server.[1] |
| Enterprise | T1057 | Process Discovery | FoggyWeb's loader can enumerate all Common Language Runtimes (CLRs) and running Application Domains in the compromised AD FS server's |
| Enterprise | T1041 | Exfiltration Over C2 Channel | FoggyWeb can remotely exfiltrate sensitive information from a compromised AD FS server.[1] |
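The loader rows above (T1574.001, T1083, T1129/T1106) describe a native DLL planted where the AD FS service will load it ahead of the legitimate copy, plus a .pri file the loader looks for on disk. The following PowerShell is an added defender-side check for that footprint; it is not part of the ATT&CK page or the cited Microsoft analysis. Assumptions not stated on the page: the AD FS service process is `Microsoft.IdentityServer.ServiceHost.exe`, its binaries live under `%SystemRoot%\ADFS`, and the .pri file is searched for under that directory. The function names are mine. Run it elevated on the AD FS server; reading the module list of a service process requires administrator rights.

```powershell
# Added example (not from the ATT&CK page or the FoggyWeb write-up it cites).
# Triage checks for the FoggyWeb loader footprint described above.
# Assumptions: AD FS service process name and install directory below.
$AdfsProcessName = 'Microsoft.IdentityServer.ServiceHost'   # assumed, not on the page
$AdfsDir         = Join-Path $env:SystemRoot 'ADFS'          # assumed, not on the page

function Find-ShadowedSystemDlls {
    param([string]$AppDir = $AdfsDir)
    # T1574.001: a search-order hijack works by dropping a DLL into the
    # application directory so it is found before the copy in System32.
    # Any DLL in $AppDir whose file name also exists in System32 is a lead;
    # the signature and hash let you compare against a known-good server.
    $sys32 = Join-Path $env:SystemRoot 'System32'
    Get-ChildItem -Path $AppDir -Filter '*.dll' -File -ErrorAction SilentlyContinue |
        Where-Object { Test-Path (Join-Path $sys32 $_.Name) } |
        ForEach-Object {
            $sig = Get-AuthenticodeSignature -FilePath $_.FullName
            [pscustomobject]@{
                Path      = $_.FullName
                Signature = $sig.Status
                Signer    = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
                SHA256    = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
                Written   = $_.LastWriteTimeUtc
            }
        }
}

function Find-PriFiles {
    param([string]$Root = $AdfsDir)
    # T1083: the page says the loader checks for the backdoor as a .pri
    # (package resource index) file on the AD FS server. Such files are not
    # expected beside AD FS binaries, so enumerate and hash any that exist.
    Get-ChildItem -Path $Root -Filter '*.pri' -File -Recurse -ErrorAction SilentlyContinue |
        ForEach-Object {
            [pscustomobject]@{
                Path    = $_.FullName
                Size    = $_.Length
                SHA256  = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
                Written = $_.LastWriteTimeUtc
            }
        }
}

function Get-UnsignedAdfsModules {
    # T1129/T1106: the native loader DLL is mapped into the AD FS service
    # process. List every module in that process that does not carry a
    # valid Authenticode signature.
    Get-Process -Name $AdfsProcessName -ErrorAction SilentlyContinue |
        ForEach-Object { $_.Modules } |
        ForEach-Object {
            $sig = Get-AuthenticodeSignature -FilePath $_.FileName
            if ($sig.Status -ne 'Valid') {
                [pscustomobject]@{
                    Module    = $_.ModuleName
                    Path      = $_.FileName
                    Signature = $sig.Status
                }
            }
        }
}

# Run all three checks; an empty table from each is the expected clean result.
Find-ShadowedSystemDlls | Format-Table -AutoSize
Find-PriFiles           | Format-Table -AutoSize
Get-UnsignedAdfsModules | Format-Table -AutoSize
```

Two caveats on what this does and does not cover. The module check only sees the native loader: the .NET backdoor itself is reflectively loaded into an existing Application Domain (T1620, T1106 above) and never appears as a file-backed module, so an empty result from `Get-UnsignedAdfsModules` does not clear the process. And because the loader hides alongside legitimate AD FS files, every hit is a triage lead rather than a verdict; compare the reported hashes with the same paths on a known-good AD FS server or a clean install of the same build before acting.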